1 Mike Davis, Risk Management / Cyber Security Consultant, MSEE, CISSP (Virtual CISO)
Cloud & Mobile Security: What really matters? -- Clarifying the fog of cyber security
UoP CyberCon, 6 June
Detailed Cloud Security paper at:
2 SO what does matter in Cyber?
CYBER is fundamentally all about TRUST and DATA (identity, authentication, secure comms; provenance, quality, pedigree, assured).
It's NOT about expensive new cyber capabilities / devices but more about the interoperability glue (distributed trust, resiliency, automation, profiles, etc.).
90+% of security incidents are from lack of doing the basics!
- Conduct effective Security Continuous Monitoring (SCM / SIEM): a MUST DO!
- USE enforced cyber hygiene and enterprise access control, & reduce complexity (APLs)
- Shift from only protecting the network to the DATA security itself: a PRIVACY-centric view
- Embrace your Risk Management Plan: LIVE IT!
- Have an enforceable security policy (what is allowed / not) and train to it
- KNOW and monitor your baseline: protect the business from the unknown risks
- Employ a due diligence level of security, then transfer residual risks!
When in doubt, do the cyber BASICS well!!! An achievable 90-95% solution to MOST vulnerabilities: stabilize the environment!
3 Integrated Enterprise RISK Management (RM)
* Making privacy protection a full organizational contact sport *
Elements surrounding the RM Plan (diagram):
- Company Vision (business success factors)
- Security Policy (mobile, social media, etc.)
- C&A / V&V (effective / automated)
- Known Baseline (security architecture)
- CMMI / Sustainment (SoPs / processes)
- Privacy by Design (PbD) (manage PII, HIPAA, compliance)
- Insider Threat
- Company Intel (open source, FB, etc.)
- SCM / SIEM (monitor / track / mitigate)
- MSS / CISO (3rd party IV&V support)
- Data Security (DLP, DRM, reputation-based methods)
- Cyber insurance (broker & legal counsel)
- Education / Training (targeted, JIT, needs-based)
Cyber AND Privacy must be embedded in your enterprise risk management plan (RMP). A cyber vision integrates the RMP with the NIST Cybersecurity Framework.
4 B.L.U.F. - Cloud Security Summary
- Security in the cloud is likely at least as good as your on-premise security
- Security is 95% the SAME everywhere; only IA controls ownership changes
- Don't sell FUD; leverage security services instead (MCC, IdAM, etc.)
- Few are "all in" (100%), hence TWO cyber environments
- MONITORING: SCM / SIEM must integrate cloud / status metrics
- Service Level Agreements (SLAs) are not sufficient: trust but verify
- Encrypt everywhere, with effective enterprise key management
- Data owners are always accountable for PII / privacy / compliance
Cloud security is all about TRUST and managing RISKS. It's your data = only you can minimize data breaches.
5 Cloud Security - So WHAT must we do (top 10)?
1. Effective on-premise security posture! (defense in depth / breadth; especially effectively configured firewalls, and browsers strictly controlled)
2. Encrypt everywhere, with an enterprise key management system
3. Enforced enterprise access control / management policy (IdAM: SAML, OpenID, etc.)
4. Effective cyber hygiene (patching, critical settings, processes, etc.)
5. Secure your own code / applications / services (PaaS)
6. Monitoring at various levels (SCM / SIEM, log management, auditing, forensics)
7. Understand your cloud service provider's security model and build it into the contract (who is responsible for what, SLAs, preplanned alternatives, use of Security-as-a-Service)
8. Enterprise data management strategy (discover, classify and control your data; build in privacy by design)
9. Keep informed / share cyber information (sector ISACs, US-CERT, CyberTECH)
10. Risk Management Plan / Incident Response Plan (ISO / SAS 70; plan ahead of time what to do and who to contact WHEN breached)
It's your data = only you can minimize data breaches.
6 Data centric services, cloud ownership and security evolution
PaaS objective for combined / hybrid environments (with premise and cloud)
Layer stack (top to bottom), repeated for each service model: Application / Data / Middleware / OS / Virtualization / CPU/Storage / Networking
Service models, left to right: On-premises (Pre-cloud) | Infrastructure as a Service (Cloud v1) | Platform as a Service (Cloud v2) | Software as a Service
On-premises you manage the whole stack; in each cloud column the stack splits into a vendor-managed lower portion and a "you manage" upper portion, and that split moves up the stack from IaaS to PaaS to SaaS.
Securing the data and application layers inoculates them from most lower-layer risks.
7 Cloud Security Factoids
Shift from only protecting the network, to the DATA itself! (e.g., data centric security / privacy focus)
The cloud security challenges are principally based on:
- Trusting the vendor's security model / indirect administrator accountability
- Customer inability to respond to audit findings / obtaining support for investigations
- Proprietary implementations / multi-tenancy
- Loss of physical control
These problems exist in most 3rd party management models; the taxonomy of fear (FUD):
- Security is a difficult task to quantify in cloud computing
- Different forms of attacks on the application side and in the hardware components
- Attacks with catastrophic effects need only one security flaw
- Need to account for the IA triad (C-I-A)
- Privacy issues raised via massive data mining
- Increased attack surface
- Auditability and forensics (data out of your control)
- Legal quagmire and transitive trust issues
Areas that are maturing well, enhancing enterprise risk management (re: Gartner): consensus on what constitutes the most significant risks; cloud services certification standards; virtual machine governance and control (orchestration); enterprise control over logging and investigation; content-based control within SaaS and PaaS; and cloud security gateways, security "add-ons" based in proxy services.
8 Cloud Security Factoids (cont.)
Cloud Security Alliance (CSA) "notorious nine" top threats (2013):
1. Data Breaches
2. Data Loss
3. Account Hijacking
4. Insecure APIs
5. Denial of Service
6. Malicious Insiders
7. Abuse of Cloud Services
8. Insufficient Due Diligence
9. Shared Technology Issues
(and malware is here too, of course)
CSA 15 domains of concern:
- Information lifecycle management
- Governance and Enterprise Risk Management
- Compliance & Audit
- General Legal
- eDiscovery
- Encryption and Key Mgt
- Identity and Access Mgt
- Storage
- Virtualization
- Application Security
- Portability & Interoperability
- Data Center Operations Management
- Incident Response, Notification, Remediation
- Architectural Framework
- "Traditional" Security impact (business continuity, disaster recovery, physical security)
Shift from only protecting the network, to the DATA itself! (e.g., data centric security / privacy focus)
9 FireEye Technical Cyber Predictions
- Windows-based remote-access tools (RATs) and backdoors migrate to OS X
- Mobile ransomware that steals cloud accounts and encrypts the data
- Phone-based two-factor authentication becomes inadequate
- The rate of cataclysmic events such as Heartbleed and Shellshock increases
- Linux point-of-sale malware increases; PoS attacks will increase in frequency and hit a broader group of victims
- Linux malware triggers an Internet of Things security problem
- New security threats for Internet-connected devices
- Use-after-free exploits decline
- *nix-side vulnerabilities (Unix and Linux) will increase
10 FireEye Business Cyber Predictions
- Businesses stop paying for anti-virus software
- SIEM spending plummets
- Threat intelligence continues to be frothy
- Fraud goes mobile
- Supply-chain attacks increase
- Cyber insurance becomes a key part of cyber security plans
- More incident response plans fail, with greater impact
- Fewer organizations run their own security operation centers
- Mindsets change from a peacetime to a wartime footing
- Security spending continues its shift from prevention alone to a mix of prevention, detection, analysis, and response
11 Key Resources and References
Bottom line: we highly recommend following both the NIST and CSA cloud guidance:
https://downloads.cloudsecurityalliance.org/initiatives/guidance/csaguide.v3.0.pdf
As well as an overall, enterprise, e2e risk management approach (RMF & FedRAMP).
Cloud computing checklist, a GREAT sample! Part A is security / risk management, part B is compliance and part C is further due diligence:
https://www.lawsociety.bc.ca/docs/practice/resources/checklist-cloud.pdf
- Practical Guide to SLAs
- Cloud based Security Checklist
- Common Metrics to Have in Your Cloud SLA
- Checklist for a Watertight Cloud Computing Contract
MORE cloud info / views / implementation guidance in the back-up slides.
12 NOW, on to Mobile Security, as it's everywhere: 5 notional trends with significant implications for the enterprise
- Mobile is primary: 91% of mobile users keep their device within arm's reach 100% of the time (Source: China Mobile 50k survey; Morgan Stanley Research; 2011)
- Insights from mobile data provide new opportunities: 75% of mobile shoppers take action after receiving a location-based message (Source: JiWire Mobile Audience Insights Report Q4 2011)
- Mobile is about transacting: 96% year-to-year increase in mobile Cyber Monday sales between 2011 and 2012 (Source: IBM Coremetrics Retail Data as published in the 11/24/12 IBM Press Release)
- Mobile must create a continuous brand experience: 90% of users use multiple screens as channels to create integrated experiences (Source: Time, Inc.)
- Mobile enables the Internet of Things: global machine-to-machine connections will increase from 2 billion in 2011 to 18 billion at the end of 2022 (Source: GSMA, Machina Research)
Embrace mobile security and enable users; integrate the concerns into the risk management plan.
13 Uniqueness of Mobile
Mobile devices are shared more often:
- Personal phones and tablets shared with family
- Enterprise tablet shared with coworkers
- Social norms of mobile apps vs. file systems
Mobile devices have multiple personas:
- Work tool
- Entertainment device
- Personal organization
- Security profile per persona?
Mobile devices are diverse:
- OS immaturity for enterprise mgmt
- BYOD dictates multiple OSs
- Vendor / carrier control dictates multiple OS versions
Mobile devices are used in more locations:
- A single location could offer public, private, and cell connections
- Anywhere, anytime
- Increasing reliance on enterprise WiFi
Mobile devices prioritize the user:
- Conflicts with user experience not tolerated
- OS architecture puts the user in control
- Difficult to enforce policy, app lists
- Why would anyone want to limit the iPhone?
14 Mobile Security Challenges Faced By Enterprises (all interrelated)
Achieving Data Separation & Providing Data Protection:
- Personal vs. corporate
- Data leakage into and out of the enterprise
- Partial wipe vs. device wipe vs. legally defensible wipe
- Data policies
Adapting to the BYOD / Consumerization of IT Trend:
- Multiple device platforms and variants
- Multiple providers
- Managed devices (B2E)
- Unmanaged devices (B2B, B2E, B2C)
- Endpoint policies
Providing secure access to enterprise applications & data:
- Threat protection
- Identity of user and devices
- Authentication, Authorization and Federation
- User policies
- Secure Connectivity
Developing Secure Applications:
- Application life-cycle
- Static & Dynamic analysis
- Call and data flow analysis
- Application policies
Designing & Instituting an Adaptive Security Posture:
- Policy Management: Location, Geo, Roles, Response, Time policies
- Security Intelligence
- Reporting
15 Thinking Through Mobile Management and Security
IBM Mobile Management and Security Strategy:
- Management and safe use of smartphones and tablets in the enterprise
- Secure access to corporate data and supporting privacy
- Visibility and security of the enterprise mobile platform
At the Device:
- Enroll: register owner and services
- Configure: set appropriate security policies
- Monitor and Manage: ensure device compliance and manage telecom expenses
- Reconfigure: add new policies over-the-air
- De-provision: remove services and wipe
On the Network:
- Authenticate: properly identify mobile users
- Encrypt: secure network connectivity
- Monitor and Manage: log network access and events, manage network performance
- Control: allow or deny access to apps
- Block: identify and stop mobile threats
For the Mobile App:
- Develop: utilize secure coding practices
- Test: identify application vulnerabilities
- Monitor and Manage: correlate unauthorized activity and manage app performance
- Protect: defend against application attacks
- Update: patch old or vulnerable apps
(Diagram labels: Internet, Corporate Intranet)
16 Getting Started with Mobile Security Solutions
First - what are your operational priorities?
Business Need: Protect Data & Applications on the Device
- Prevent loss or leakage of enterprise data: wipe, local data encryption
- Protect access to the device: device lock
- Mitigate exposure to vulnerabilities: anti-malware, push updates, detect jailbreak, detect non-compliance
- Protect access to apps: app disable, user authentication
- Enforce corporate policies
Business Need: Protect Enterprise Systems & Deliver Secure Access
- Provide secure access to enterprise systems: VPN
- Prevent unauthorized access to enterprise systems: identity, certificate management, authentication, authorization, audit
- Protect users from Internet-borne threats: threat protection
- Enforce corporate policies: anomaly detection, security challenges for access to sensitive data
Business Need: Build, Test and Run Secure Mobile Apps
- Enforce corporate development best practices: development tools enforcing security policies
- Test mobile apps for exposure to threats: penetration testing, vulnerability testing
- Provide offline access: encrypted local storage of credentials
- Deliver mobile apps securely: enterprise app store
- Prevent usage of compromised apps: detect and disable compromised apps
17 GAO report on mobile vulnerabilities
KEY risks / concerns:
- Mobile devices often do not have passwords enabled.
- Two-factor authentication is not always used when conducting sensitive transactions.
- Wireless transmissions are not always encrypted.
- Mobile devices may contain malware.
- Mobile devices often do not use security software.
- Operating systems may be out-of-date.
- Software / patches on mobile devices may be out-of-date.
- Mobile devices often do not limit Internet connections.
- Many mobile devices do not have firewalls to limit connections.
- Mobile devices may have unauthorized modifications (known as "jailbreaking" or "rooting").
- Communication channels / Bluetooth may be poorly secured.
(Added risk examples in backup.)
--- BYOD is NOT free ---
Major protection methods:
- Enable user authentication
- Enable two-factor authentication for sensitive transactions
- Verify the authenticity of downloaded applications
- Install antimalware and a firewall
- Install security updates
- Remotely disable lost or stolen devices
- Enable encryption for data on any device or memory card
- Enable whitelisting (on phones too!)
- Establish a mobile device security policy
- Provide mobile device security training
- Establish a deployment plan
- Perform risk assessments
- Manage hygiene = configuration control and management
18 QR Codes Are Ubiquitous
Product labels, advertising, a roof-top QR code, webinar registration, a sticker on a sign...
DANGER - just what data, code, or malware is in the QR code??? They get accepted as-is in your phone!
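As an added example (not code from the slides or from any QR reader product), a triage routine that inspects a decoded QR payload before the phone acts on it, so the user can be shown what the code contains instead of it being accepted as-is. The QR decoding library is assumed to exist and is not included; the classification rules and the sample payloads are constructed for this example.

```python
"""Triage of a decoded QR-code payload before the phone acts on it.

Added illustration, not code from the slide deck or any QR reader product.
A QR decoding library (not included here) would supply the decoded string;
the sample payloads at the bottom are constructed, and the classification
rules are this example's own assumptions about what a cautious scanner
should flag before handing the payload to a browser, dialer or Wi-Fi stack.
"""
import ipaddress
import re
from typing import List, Tuple
from urllib.parse import urlsplit

# Schemes a scanner should never hand to the OS: they execute or load content
# rather than merely navigate (assumed policy).
BLOCKED_SCHEMES = {"javascript", "data", "file", "intent", "content"}

# Schemes that trigger a device action (call, message, network join) rather
# than a page view (assumed list).
ACTION_SCHEMES = {"tel", "sms", "smsto", "mailto", "wifi", "geo", "market"}

SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*):(.*)$", re.DOTALL)


def triage_qr_payload(payload: str) -> Tuple[str, List[str]]:
    """Classify a decoded QR string and return (kind, flags).

    kind is "text", "url", "blocked-scheme", "action:<scheme>" or "other";
    flags lists the reasons the user should see the payload and confirm
    instead of the phone acting on it as-is.
    """
    text = payload.strip()
    flags: List[str] = []
    m = SCHEME_RE.match(text)
    if not m:
        return "text", flags                      # plain text: display only
    scheme = m.group(1).lower()
    if scheme in BLOCKED_SCHEMES:
        return "blocked-scheme", ["scheme:" + scheme]
    if scheme in ("http", "https"):
        parts = urlsplit(text)
        host = parts.hostname or ""
        if scheme == "http":
            flags.append("plaintext-http")        # no transport protection
        if parts.username is not None or parts.password is not None:
            flags.append("credentials-in-url")    # user:pass@host in the link
        try:
            ipaddress.ip_address(host)
            flags.append("ip-literal-host")       # no domain name to vet
        except ValueError:
            pass
        if host.startswith("xn--") or ".xn--" in host:
            flags.append("punycode-host")         # possible look-alike domain
        if not host:
            flags.append("no-host")
        return "url", flags
    if scheme in ACTION_SCHEMES:
        if scheme == "wifi":
            flags.append("auto-join-network-config")
        elif scheme in ("tel", "sms", "smsto"):
            flags.append("initiates-call-or-message")
        return "action:" + scheme, flags
    flags.append("unknown-scheme:" + scheme)
    return "other", flags


# Constructed sample payloads (not taken from any real code).
SAMPLE_PAYLOADS = [
    "https://example.com/webinar/register",
    "http://203.0.113.5/login",
    "https://admin:secret@example.net/",
    "javascript:void(0)",
    "WIFI:T:WPA;S:FreeCafe;P:welcome1;;",
    "tel:+1-555-0100",
    "Table 12",
]

if __name__ == "__main__":
    for p in SAMPLE_PAYLOADS:
        kind, flags = triage_qr_payload(p)
        print(f"{kind:<22} {str(flags) if flags else 'ok':<45} {p}")
```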
19 What is MCC?
Mobile cloud computing (MCC), at its simplest, refers to an infrastructure where both the data storage and the data processing happen outside of the mobile device. Mobile cloud applications move the computing power and data storage away from the mobile devices and into powerful, centralized computing platforms located in clouds, which are then accessed over the wireless connection from a thin native client.
In short: a thin-client approach applied to phones, with the cloud as the back end.
20 Industry accepted practices and standards
When applied to mobile devices, a security framework suggests the following security controls, with actual requirements varying by deployment (aligns with GAO recommendations): (a) identity and access, (b) data protection, (c) application security, (d) access and integrity control, (e) governance and compliance, and (f) education.
So what tend to be the collated, consensus best practices commonly recommended as the essential security practices in most mobile security guides and reports? They are detailed in the appendix!
21 What's a company to do?
Enterprise Mobile Management (EMM) strategy:
- Enforce the organization's mobile device policy (people, process, product)
- Integrate device control (BYOD, etc.) with data management
Mobile Device Management (MDM) (device control):
- Implement containerisation: separate out company data; integrate and enforce encryption (no user bypass)
- Employ anti-theft / content security services (e.g., remote wipe, etc.)
- Monitor installed apps and enforce items (a) through (e)
Complement MDM with MAM (Mobile Application Management):
- Software delivery, software licensing, configuration, application life cycle management (ALM)
- Consider Mobile Content Management (MCM) for sharing data
- Provide an organizationally sponsored / approved app store
- Require the use of a VPN, with no opt-outs
The on-premise cyber suite baseline is well monitored and maintained.
22 General best practices for mobile phone users / end points:
1. Use a PIN, password or pattern to lock your phone.
2. Download apps only from trusted stores.
3. Back up your data. Yes, there are apps for that.
4. Keep your operating system and apps updated. Use the auto-update feature as you do on your PC.
5. Use a mobile anti-virus app (or two; the major free ones have phone versions).
6. Use a secure messaging / text app.
7. Log out of sites after you make a payment / store sensitive data.
8. Turn off Wi-Fi and Bluetooth when not in use.
9. Avoid giving out personal information (texts can be sent everywhere!).
10. Install a security monitoring app.
11. Avoid using free wireless access points.
12. Minimize use of the mobile hot-spot capability (anonymity?).
23 References / Bibliography
One of the BEST ways to show your mobile capability meets the major federal security requirements, and go beyond just compliance, is to follow the NSA/CSS Mobility Security Guide (V2.3), which addresses both the Architecture and Certification aspects - a MUST DO!
https://www.nsa.gov/ia/_files/mobility_security_guide.pdf
- IBM: Securing Mobile devices in the business environment
- Check Point: Impact of mobile devices on information security
https://www.checkpoint.com/downloads/products/check-point-mobile-security-survey-report.pdf
- MobileIron: Mobile first whitepaper
Requirements%20Analysis%20-%20White%20Paper.pdf
--- Federal government (FISMA, et al.) - FIRST, for all environments it is best to follow the excellent NIST mobile devices security guide! THEN follow the excellent DoD CIO overview and guide (and mobile site).
https://cio.gov/wp-content/uploads/downloads/2013/05/federal-mobile-security-baseline.pdf
https://cio.gov/creating-a-foundation-for-mobile-security/
24 SO what does matter in Cyber? Be that cloud or mobile security!
CYBER is fundamentally all about TRUST and DATA (identity, authentication, secure comms; provenance, quality, pedigree, assured).
It's NOT about expensive new cyber capabilities / devices but more about the interoperability glue (distributed trust, resiliency, automation, profiles, etc.).
90+% of security incidents are from lack of doing the basics!
- Conduct effective Security Continuous Monitoring (SCM / SIEM): a MUST DO!
- USE enforced cyber hygiene and enterprise access control, & reduce complexity (APLs)
- Shift from only protecting the network to the DATA security itself: an information-centric view
- Embrace your Risk Management Plan: LIVE IT!
- Have an enforceable security policy (what is allowed / not) and train to it
- KNOW and monitor your baseline: protect the business from the unknown risks
- Employ a due diligence level of security, then transfer residual risks!
When in doubt, do the cyber BASICS well!!! An achievable 90-95% solution to MOST vulnerabilities: stabilize the environment!
25 Backups: Cloud Security and Mobile Security
26 Cloud Security Factoids (cont.)
Shift from only protecting the network, to the DATA itself! (e.g., data centric security / privacy focus)
Locking Down the Cloud: 18 Security Issues Faced by Enterprise IT (2015):
1. Transparency is crucial
2. Regulations can't keep up
3. Continuous real-time security audits
4. Academic world is innovating but out of touch
5. Not looking at the big picture
6. Mobile/BYOD brings additional challenges
7. Bare-metal security features not in VM
8. Difficult to harvest entropy in VM
9. Accidental key sharing in appliances
10. Leave security implementations to the experts
11. Data partitioning for hybrid clouds
12. Do consumers really care about security?
13. Products can end up being used in industries they aren't designed for
14. Security guarantees not "provable"
15. Containers and portable VM snapshots are too portable
16. Encryption efforts are vulnerable if physical access to a machine is available
17. Controlling physical access to the data center is not enough
18. Privacy and security are at odds
27 27 Data SMEs - #1 Cloud Security issues
- The proper mitigation of security risks before and throughout cloud adoption
- Adequate understanding of the cloud-based service provider
- The lack of understanding that they are already in the cloud and should already have been protecting themselves accordingly
- Understanding what "the cloud" is and how cloud computing should be utilized given unique business requirements
- A lack of trust in cloud security
- How to protect their environment from data leaks and/or malicious attacks
- Building confidence in the security of the cloud is an important step in encouraging migration
- The lack of analysis of actual application code for vulnerabilities
Who do you trust?
28 27 Data SMEs - #1 Cloud Security issues (cont.)
- Cloud environments provide very weak access logging and access authentication
- The three A's: authentication, authorization, access control
- The financial and business continuity exposure for your company
- Control: protecting data while 'in flight' (transferring / sharing) as well as 'at rest' (storage)
- The device that is being used to attach to the cloud
- Complacency: believing that a cloud provider is 1) better at protecting sensitive data, and 2) as vested in protecting your data as you are
- The need for data replication within the cloud infrastructure so that it can be processed, and tasks such as marketing can be effectively and safely executed
29 27 Data SMEs - #1 Cloud Security issues (cont.)
- How to evaluate the risk of using a particular vendor
- Going into a cloud system too quickly and basically not paying any attention to security
- Uninformed users
- The "public" part of the public cloud
- IT governance, compliance and the risks of cloud computing
- The fact that once you migrate to the cloud-computing platform, you can no longer wrap your data in your own security tools (DLP, data classification, filtering, etc.)
- A belief that it is separate from their local data security
- Recommend moving test/dev or non-critical workloads off premise
- The fact that cloud providers build and manage massive pools of compute and storage resources that are "rented" to many tenants, allowing for huge economies of scale
30 Implementation Recommendations
We propose both a strategic (facilitating inter-organization harmonization) (1-9) and a tactical (execution at the organization level) (10-15) set of recommendations.
1. Use a multi-tier defense of data (encryption, key management, data ownership, and data usage) in the cloud; develop a data-centric security view of the environment.
2. Establish the FedRAMP Security Control Baseline as the overall notional security control baseline for all cloud environments, for consistency of implementation and verification.
3. Given the standard IA controls that are called out in the security controls baseline, divide and align security responsibilities between the organization and cloud service providers; establish clear inheritance oversight processes.
4. Implement a common cloud computing security architecture in all connected data centers, accommodating data at rest, in process and in transit between entities.
5. Adopt NIST's Risk Management Framework (RMF) for evaluating security risk.
6. Leverage FedRAMP's provisional authorization process for cloud service providers.
31 Implementation Recommendations (cont.)
7. Execute continuous monitoring concepts for networks and systems; leverage NIST's approach, harmonized with DHS's SCM efforts.
8. Develop advanced analytics for monitoring internal and external data usage.
9. Train the cyber workforce concerning new cloud computing roles and responsibilities.
10. Maintain a detailed security policy with active monitoring and control to support enforcement. Also quantify the processes for key risk areas, like BYOD, data control, data loss prevention, effective monitoring, etc.
11. Maintain a cyber security architecture that accommodates enterprise end-point security in both (1) the organic / on-site IT/security environment and (2) the cloud provider security capabilities / controls. Use the CSA, NIST and FedRAMP guidelines, including alternative sources. Quantify all IA controls; assign roles and responsibility for all, including inheritance aspects.
32 Implementation Recommendations (cont.)
12. Conduct a security assessment of the in-house / on-site environment: define the baseline, fix critical vulnerabilities and then also employ monitoring / SCM / SIEM (which must also communicate with the cloud providers' reporting methods).
13. Use encryption in all aspects of data / communications, especially externally stored data. End-to-end encryption with reliable key management is a particularly powerful defensive measure. Leverage security-as-a-service providers for third-party monitoring.
14. Ensure cloud services, as instantiated in a comprehensive service level agreement (SLA), are part of the overall risk management plan, including COOP and alternate providers / data storage repositories, etc.
15. Develop the organization's specific computing outsourcing needs, then distill the cloud aspects into a cloud provider checklist; use it as a tool for periodic status reviews as well, and embed all capabilities and metrics in the SLAs.
33 Notional Data Centric Architecture in support of (iso) the typical information environment
- IA / Security / cyber (e.g., defense in depth (DiD)) supports quality / assured data (with pedigree / provenance)
- Cyber must be preserved in the full data AND capabilities life-cycle
- Must accommodate BOTH in-house and cloud IA controls / inheritance
- Must account for the four Vs: Volume, Variety, Velocity and Veracity
- Data is either at rest, being processed OR in transit
Diagram questions: What IA/security capabilities are needed for the DATA itself? How does the DATA move about?
Diagram elements: OMG / DDS; reputation-based security; DATA; storage; services; apps; host / device; behavior monitoring; business logic; middleware; transport; FW/IDS/IPS; continuous monitoring.
DCA Security = DCPS, DDSI, DataReader, DataWriter, Pub / Sub. Java, mobile code, widgets, storage SW, middleware, services, ESB, etc.
34 Backups: Mobile Security
35 A - Identity and access control
- No device should gain access to e-mail, LAN, VPN, Wi-Fi or other services without some form of device authentication involving X.509 and other similar certificates.
- User connectivity could be limited to a default number of devices, such as one smartphone and one tablet. Users operating under enrollment limits will be less likely to allow personal devices to get lost, stolen, sold or swapped without notifying the company.
- Enforce passwords to access the device: enable user authentication and two-factor authentication for sensitive transactions; automatically lock the device after 15 minutes of non-use.
- If virtual private network (VPN) access to the corporate intranet is allowed, include the capability to control what IP addresses can be accessed and when re-authentication is required for accessing critical resources.
- Preboot authentication (PBA) should never be deactivated on mobile workstations for user convenience. The PBA should be configured to reassert itself if the system is booted without the LAN connection.
36 B - Data protection
Users mingle and copy information by forwarding and saving e-mails and attachments, and by sharing and saving local and cloud copies through an endless variety of apps and sync tools. These data fragments cannot be easily traced or audited, even if the mobile device is managed by the company. E-mail data can be tagged and selectively deleted, but other copies remain. Leakage problems are gaining attention on small devices due to a lack of standards for sandboxing data; a lack of standard enterprise apps; a lack of data loss prevention (DLP) methodologies; and convenient cloud synchronization services.
- Protect sensitive and confidential data at all costs, especially when using BYOD.
- Encrypt business data stored on the device and memory card and during transmission, tied to the user account. The choice and enablement of encryption methods should be made as part of the "opt-in" agreement for all mobile programs.
- Include the capability to locate, lock out or wipe the device remotely.
- Set a timeout to lock the device when it is not used or has multiple failed logons.
- Periodically back up data on the device so a data restore is possible after a lost device has been recovered.
- Enable automatic encryption for data on any device or memory card.
- Monitor and account for data continuously using both audit tools and DLP / DRM methods.
- Provide seamless, secure backup of device data, including in the cloud and corporate data shares.
- Reduce file sharing exposures with a file sync and share service or equivalent. Audit logs should track copied files and store results remotely to support DLP/DRM and compliance.
- Segregation of locally stored business data can be achieved by virtualization, container solutions, or user account-based encryption instead of FDE. Using a workstation on a bootable USB drive may apply.
37 C - Application security
Applications are a clear major source of data leakage, malware and security concerns overall; thus an overall corporate applications policy and process is a key management tool. Many organizations have developed their own application store where only tested and approved apps are allowed on any mobile device. The repertoire of organizationally controlled apps offered then caters to all aspects of the business and common consumer apps.
- Download business applications from controlled locations; run only certified business applications.
- Monitor installed applications and remove those identified to be untrustworthy or malicious.
- Provide efficient installation and configuration of security applications on devices; routinely scan and verify the authenticity of downloaded applications.
38 D - Network Access and integrity control
Personal, non-company laptops should not be allowed on company LANs or VPN tunnels without going through network access control (NAC) tests, which include a check for malware protection and misconfiguration. Systems that don't belong on the LAN can be redirected to the Internet or a limited-access zone. Compatible endpoint tools may supplement and enhance the NAC policy.
External media writing should be deactivated if it is not needed, to prevent "sideways" movement of business data outside of company policies. Major endpoint protection and mobile data protection vendors can detect the insertion of flash drives or other media, and offer a range of FDE, full volume / folder, and per-file encryption choices, combined with device control and governed by project keys, passwords, etc.
- Run antimalware software to detect malware in storage and in memory.
- Run a personal firewall to filter inbound and outbound traffic.
- Align the MDM and IAM capabilities and processes for a well-integrated security posture.
- Integrate the company's VPN gateway, so a device's security posture is a dependency for access.
- Automate registration and inventory of mobile devices; remotely disable lost or stolen devices.
- Automatically update security patches, policies and settings; monitor for mobile OS changes.
- Enable whitelisting of web sites and use application signatures and certificates.
- Employ Microsoft Exchange ActiveSync (EAS).
- Integrate a secure enterprise DNS for mobile use, as DNS poisoning / spoofing is a major threat.
- Consider using Web / gateway filter capabilities or cloud and Web services to perform blocking and malware detection / prevention on mobile devices.
- Consider container solutions for protecting business information, ranging from encryption, self-defending and security-wrapped applications to rights-managed document viewers.
- Invest in NAC and MDM tools that verify that the devices are configured and operating properly.
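As an added example, not code from the slides or from any MDM / NAC product, the checks from A (device certificates, enrollment limits, passcode and the 15-minute lock), B (encryption of stored data) and D (NAC admission with redirection to a limited-access zone, malware protection, unauthorized modification, external media) expressed as one device posture evaluation over constructed inventory records. The record field names and every threshold other than the two quoted from A are assumptions.

```python
"""Device posture check against the mobile controls in sections A, B and D.

Added illustration, not code from the slide deck or any MDM / NAC product.
The device records are constructed sample data in the shape an MDM inventory
export might take; field names and the thresholds below are assumptions,
except the 15-minute lock and the two-devices-per-user limit quoted from A.
"""
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List

MAX_LOCK_MINUTES = 15        # section A: auto-lock after 15 minutes of non-use
MAX_DEVICES_PER_USER = 2     # section A: e.g. one smartphone and one tablet
MAX_PATCH_AGE_DAYS = 30      # assumed threshold for "patches out-of-date"

# Findings that by themselves warrant denial; anything else sends the device
# to the limited-access zone for remediation (section D).
DENY_FINDINGS = {
    "no-device-certificate",   # A: device auth via X.509 certificate
    "no-passcode",             # A: enforce passwords to access the device
    "storage-not-encrypted",   # B: encrypt business data on device and card
    "jailbroken-or-rooted",    # D: unauthorized modification
}


@dataclass
class Device:
    device_id: str
    owner: str
    has_device_cert: bool       # X.509 device certificate enrolled
    passcode_set: bool
    lock_timeout_min: int       # 0 means the device never auto-locks
    storage_encrypted: bool
    jailbroken: bool
    antimalware_running: bool
    patch_age_days: int         # days since the last OS / app patch
    media_write_enabled: bool   # external media writing still on (D)


@dataclass
class Verdict:
    device_id: str
    decision: str               # "allow", "quarantine" or "deny"
    findings: List[str] = field(default_factory=list)


def check_device(dev: Device, devices_for_owner: int) -> Verdict:
    """Evaluate one device; devices_for_owner is the owner's enrolled count."""
    f: List[str] = []
    if not dev.has_device_cert:
        f.append("no-device-certificate")
    if devices_for_owner > MAX_DEVICES_PER_USER:
        f.append("enrollment-limit-exceeded")
    if not dev.passcode_set:
        f.append("no-passcode")
    if dev.lock_timeout_min == 0 or dev.lock_timeout_min > MAX_LOCK_MINUTES:
        f.append("lock-timeout-too-long")
    if not dev.storage_encrypted:
        f.append("storage-not-encrypted")
    if dev.jailbroken:
        f.append("jailbroken-or-rooted")
    if not dev.antimalware_running:
        f.append("no-antimalware")
    if dev.patch_age_days > MAX_PATCH_AGE_DAYS:
        f.append("patches-out-of-date")
    if dev.media_write_enabled:
        f.append("external-media-write-enabled")

    if any(x in DENY_FINDINGS for x in f):
        decision = "deny"
    elif f:
        decision = "quarantine"     # limited-access zone until fixed
    else:
        decision = "allow"
    return Verdict(dev.device_id, decision, f)


def evaluate_fleet(devices: List[Device]) -> Dict[str, Verdict]:
    """Apply check_device to every device, enforcing the per-user limit."""
    per_owner = Counter(d.owner for d in devices)
    return {d.device_id: check_device(d, per_owner[d.owner]) for d in devices}


# Constructed sample inventory (not real devices). Field order follows Device.
SAMPLE_DEVICES = [
    Device("phone-001", "alice", True, True, 5, True, False, True, 7, False),
    Device("tab-002", "alice", True, True, 10, True, False, False, 45, False),
    Device("phone-003", "bob", True, True, 0, True, True, True, 3, False),
    Device("phone-004", "carol", True, True, 15, True, False, True, 2, False),
    Device("phone-005", "carol", False, True, 15, True, False, True, 2, False),
    Device("tab-006", "carol", True, False, 15, False, False, True, 2, True),
]

if __name__ == "__main__":
    for v in evaluate_fleet(SAMPLE_DEVICES).values():
        print(f"{v.device_id:<10} {v.decision:<10} {', '.join(v.findings) or '-'}")
```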
39 E - Governance and compliance
Security policies need to account for overarching business information requirements. Each device's deficiencies in fulfilling the common requirements should be identified and mitigated. For example, set a policy that no device, personal or company-owned, should be allowed to access business data until appropriate encryption controls are in place.
- Incorporate mobile security into the company's overall risk management program.
- Maintain logs of interactions between mobile devices and the company's VPN gateway, and of data transmission to and from servers within the intranet.
- Include mobile devices in the company's periodic security audit.
- Specify detailed roles and responsibilities in managing and securing the devices.
- Report periodically on security policy enforcement status.
- Establish a deployment plan, including periodic updates and continuous risk assessments.
- Provide a periodic compliance report to the C-suite / D&Os / business line managers; include vendor and product vetting, status and trends.
- Prioritize security policy choices based on the way that information will be accessed and shared.
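The NAC posture gate of section D and the "no business data until encryption is in place" policy and gateway logging of section E, combined in one added Python example that is not part of the original deck: a posture report is mapped to an access decision (full access, limited-access zone, Internet only, or blocked) and each decision is emitted as a JSON audit line. The posture fields, thresholds and device ids are assumptions chosen for illustration.

```python
import json
from dataclasses import dataclass, asdict
from enum import Enum

class Access(Enum):
    FULL = "corporate LAN / VPN"
    REMEDIATION = "limited-access zone"
    INTERNET_ONLY = "internet only"
    DENY = "blocked"

@dataclass
class Posture:
    """Posture attributes an NAC/MDM agent might report (constructed field set)."""
    device_id: str
    company_owned: bool
    mdm_enrolled: bool
    antimalware_running: bool
    firewall_enabled: bool
    storage_encrypted: bool
    rooted_or_jailbroken: bool
    patch_age_days: int
    reported_lost: bool

def decide_access(p: Posture, max_patch_age_days: int = 30):
    """Return (Access, [reasons]) for one posture report; hard stops are checked first."""
    if p.reported_lost:
        return Access.DENY, ["device reported lost or stolen; remotely disabled"]
    if p.rooted_or_jailbroken:
        return Access.DENY, ["device is rooted or jailbroken"]
    if not p.storage_encrypted:
        # Section E policy: no business data until encryption controls are in place.
        return Access.INTERNET_ONLY, ["storage encryption not enabled"]
    if not p.company_owned and not p.mdm_enrolled:
        return Access.INTERNET_ONLY, ["personal device not enrolled in MDM"]
    gaps = []  # fixable misconfigurations send the device to the remediation zone
    if not p.antimalware_running:
        gaps.append("antimalware not running")
    if not p.firewall_enabled:
        gaps.append("personal firewall disabled")
    if p.patch_age_days > max_patch_age_days:
        gaps.append(f"patches {p.patch_age_days} days old (limit {max_patch_age_days})")
    if gaps:
        return Access.REMEDIATION, gaps
    return Access.FULL, ["all posture checks passed"]

def audit_record(p: Posture, decision: Access, reasons) -> str:
    """One JSON line per gateway interaction, for the log the governance section asks for."""
    return json.dumps({"device_id": p.device_id, "decision": decision.name,
                       "reasons": reasons, "posture": asdict(p)}, sort_keys=True)

# Constructed posture reports, not real devices.
SAMPLE = [
    Posture("lt-1001", True, True, True, True, True, False, 7, False),      # compliant
    Posture("byod-2002", False, True, False, True, True, False, 45, False),  # two fixable gaps
    Posture("byod-2003", False, False, True, True, True, False, 3, False),   # personal, not enrolled
    Posture("ph-3004", True, True, True, True, False, False, 1, False),      # unencrypted storage
    Posture("ph-3005", True, True, True, True, True, True, 1, False),        # jailbroken
    Posture("lt-1006", True, True, True, True, True, False, 2, True),        # reported lost
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(audit_record(p, *decide_access(p)))
```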
40 F - Education and training
No security policy can be complete without fully addressing the user / people part of the cyber equation (along with processes and product / technology), where effective education and training can be a significant risk reduction endeavor. It's not enough to have employees just sign a user agreement; rather, actually keep them fully aware and adequately trained to do their part in supporting mobile security. This matters especially because, as a general rule of thumb, humans are the root cause of around 90% of all security incidents; phishing attacks, for example, are the entry point for more than 90% of malware insertions.
- Provide effective and periodic employee education on securing mobile devices; use personal examples that translate to the workforce as well, and the training effect will last a lot longer.
- The roles and responsibilities in the security policy must clearly delineate user tasks; establish a monitoring program to ensure awareness and compliance / enforcement when needed.
41 Varied mobile risks and security issues
The key concerns therein tend to be common and user-based:
- Employees accidentally accessing malicious sites or downloading malicious content.
- Employee awareness about security policies.
- Employees intentionally ignoring security policies.
- Lost or stolen mobile devices with corporate data.
- Keeping security updates current.
- Users changing or upgrading their mobile devices.
- Lack of sufficient scalability of the VPN infrastructure.
- Inadequate integration with company network access controls or endpoint management.
- Inadequate user authentication.
- Mobile device jailbreaking or rooting.
- Malicious text or SMS messaging.
- Inconsistent mobile device data protection policies.
- Insufficient data encryption.
- Increased costs related to supporting different mobile platforms.
- Compliance risks from mobile data access.
- Use of apps not approved by the company.
- Mobile malware, spyware, Trojans, bots and zero-day attacks.
- Poisoned domain name services (DNS).
- The lack of company employee training or awareness about responsible mobile behavior inhibits more widespread use of mobile devices.
- Employees often have to work around existing security policies to do their jobs.
- Proliferation of mobile devices with confidential information and access to internal systems is an increasing security concern.
- Managers are not confident the mobile security policies keep them secure.
- Employees can unknowingly bring threats into the network via mobile devices.
- Mobile management and security technologies are not yet fully mature or well integrated.
- Developing a comprehensive plan to manage mobile devices and provide greater security at the company should be a top priority.
- Mobile security protection measures are generally weak, with little use of monitoring or metrics.
44 QR Codes Overview
QR Code (Quick Response Code)
- Two-dimensional barcode, invented by Denso Wave (Japan).
- Information is encoded in both the vertical and horizontal directions.
- Can hold up to 7,089 characters vs 20 for a standard barcode.
- Requires a QR code reader (free mobile app scanners).
- As of 2012, used over a much wider range of applications: commercial tracking; entertainment / ticketing; product marketing (mobile couponing for discounts); storing a company's information (website, address); storing personal information for use by government; business cards (vCard).
- May appear in magazines, on signs, on buses, on business cards, or on almost any object.
Ref: